b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8

General

Target

b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe
Size

2.0MB
MD5

081752719585907d695572f13eb421c3
SHA1

bd8d5875c1eaf24ba142e2e6dcf54fe19f5fdf98
SHA256

b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8
SHA512

7635f5271d7d21ceb09ec22fa520e368d87f82864ee51b3616b6c919f17854383063d51933468396163ebabd64ba4b485a54188106b0a19b310c354fa311f785
SSDEEP

49152:Y0MjjHCNtsXw5O+LN8J24pkypkkkXUzqnLnteAVD/Oo2TC33GdQLNR:r+ULL8YkAV/yTaWaR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
748	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe

Executes dropped EXE 1 IoCs

pid	Process
748	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4292	2540	WerFault.exe	85
8	748	WerFault.exe	93
1628	748	WerFault.exe	93
3560	748	WerFault.exe	93
2192	748	WerFault.exe	93
3460	748	WerFault.exe	93
1844	748	WerFault.exe	93
4520	748	WerFault.exe	93
2180	748	WerFault.exe	93
3580	748	WerFault.exe	93
3268	748	WerFault.exe	93
3440	748	WerFault.exe	93
3496	748	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe
748	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2540	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
748	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 748	2540	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe	93
PID 2540 wrote to memory of 748	2540	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe	93
PID 2540 wrote to memory of 748	2540	b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe	93

C:\Users\Admin\AppData\Local\Temp\b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe
"C:\Users\Admin\AppData\Local\Temp\b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 352
  2⤵
  - Program crash
  PID:4292
- C:\Users\Admin\AppData\Local\Temp\b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe
  C:\Users\Admin\AppData\Local\Temp\b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 344
    3⤵
    - Program crash
    PID:8
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 620
    3⤵
    - Program crash
    PID:1628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 636
    3⤵
    - Program crash
    PID:3560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 672
    3⤵
    - Program crash
    PID:2192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 760
    3⤵
    - Program crash
    PID:3460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 900
    3⤵
    - Program crash
    PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1420
    3⤵
    - Program crash
    PID:4520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1336
    3⤵
    - Program crash
    PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1488
    3⤵
    - Program crash
    PID:3580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1424
    3⤵
    - Program crash
    PID:3268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1532
    3⤵
    - Program crash
    PID:3440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 652
    3⤵
    - Program crash
    PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2540 -ip 2540
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 748 -ip 748
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 748 -ip 748
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 748 -ip 748
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 748 -ip 748
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 748 -ip 748
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 748 -ip 748
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 748 -ip 748
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 748 -ip 748
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 748 -ip 748
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 748 -ip 748
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 748 -ip 748
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 748 -ip 748
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b275ad27ef28f1b0b47244b594b6af00d12c715eb8cf3f61c0109ccf52b2beb8.exe

Filesize
2.0MB

MD5
240cf15b12c3ce01e4cb07f826ffc6ba

SHA1
07b21318208058f35e141de0f08608f71bd2f56b

SHA256
409ec15d452d6b7ea82d686c1dda4cdda8df47e31c7dc2525efb3be6ec7f1a87

SHA512
760f2e2a5682f6c49dcb7cc7922fb127f2d631dd334a490c8204da560d940f24b6efda9ed2974f088a23ec30bc634acaffb666e3617b9ebfd4b3ea011db230fd

Download Submit
memory/748-7-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/748-8-0x0000000004FF0000-0x00000000050F3000-memory.dmp

Filesize
1.0MB

Download
memory/748-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/748-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/748-21-0x000000000BB10000-0x000000000BBC8000-memory.dmp

Filesize
736KB

Download
memory/2540-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2540-6-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing